CyberWire Daily - Playing doctor with cyberattacks.
Episode Date: July 25, 2024
A North Korean hacking group targets healthcare, energy and finance. Leaked Leidos documents surface on the dark web. A Middle Eastern financial institution suffered a record-breaking DDoS attack. The latest tally on the fallout from the CrowdStrike outage. A cybersecurity audit of HHS reveals significant cloud security gaps. Docker patches a critical vulnerability for the second time. Google announced enhanced protections for Chrome users. In our latest Threat Vector segment, David Moulton speaks with Sama Manchanda, a Consultant at Unit 42, to explore the evolving landscape of social engineering attacks. If you're heading to Paris for the Summer Olympics, smile for the AI cameras.
Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
In this segment of Threat Vector, David Moulton, Director of Thought Leadership at Unit 42, engages with Sama Manchanda, a Consultant at Unit 42, to explore the evolving landscape of social engineering attacks, particularly focusing on vishing and smishing. As election season heats up, these threats are becoming more sophisticated, exploiting our reliance on mobile devices and psychological tactics. Sama provides expert insights into the latest trends, the psychological manipulations used in these attacks, and the specific challenges they pose to individuals and the democratic process. You can listen to Threat Vector every Thursday starting next week on the N2K CyberWire network. Check out the full episode with David and Sama here.
Selected Reading
Mandiant: North Korean Hackers Targeting Healthcare, Energy (BankInfo Security)
Data pilfered from Pentagon IT supplier Leidos (The Register)
DDoS Attack Lasted for 6 Days, Record created for the duration of the Cyberattack (Cyber Security News)
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure (CrowdStrike)
Fortune 500 stands to lose $5bn plus from CrowdStrike incident (Computer Weekly)
HHS audit finds serious gaps in cloud security at agency office (SC Media)
Docker re-fixes a critical authorization bypass vulnerability (CSO Online)
Google Boosts Chrome Protections Against Malicious Files (SecurityWeek)
At The 2024 Summer Olympics, AI Is Watching You (WIRED)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A North Korean hacking group targets healthcare, energy, and finance.
Leaked Leidos documents surface on the dark web.
A Middle Eastern financial institution suffered a record-breaking DDoS attack.
The latest tally on the fallout from the CrowdStrike outage.
A cybersecurity audit of HHS reveals significant cloud security gaps.
Docker patches a critical vulnerability for the second time.
Google announced enhanced protections
for Chrome users.
In our latest Threat Vector segment,
David Moulton speaks with Sama Manchanda,
a consultant at Unit 42,
to explore the evolving landscape
of social engineering attacks.
And if you're heading to Paris
for the Summer Olympics,
smile for the AI cameras.
It's Thursday, July 25th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.
A report from Mandiant reveals that the North Korean hacking group Andariel, previously known for attacks on government
and critical infrastructure,
is now targeting healthcare, energy,
and financial sectors.
This group, linked to the DPRK's
Reconnaissance General Bureau,
has been sanctioned by the U.S. Treasury.
Known for sophisticated cyber operations,
Andariel employs advanced tools
to evade detection and maximize impact.
Mandiant, part of Google, tracks Andariel's espionage efforts, including targeting nuclear
facilities and defense systems. Now designated as APT45, Andariel has expanded to financially
motivated operations, including ransomware. Since at least 2009, Andariel has
operated under various codenames and is linked to the infamous Lazarus Group. North Korea uses
these cyberattacks to fund weapons development and boost its economy. The group's activities
have broadened since a suspected COVID-19 outbreak in North Korea, now encompassing
the healthcare sector. Mandiant warns that Andariel can swiftly shift its focus to new targets.
After a recent security breach, internal documents from Leidos Holdings, an IT services provider for
the Department of Defense and other U.S. agencies, have surfaced on the
dark web. The breach traces back to a 2022 cyber attack on Diligent Corporation, a governance
software provider used by Leidos. Despite the attack occurring two years ago, Leidos only became
aware of the circulating documents recently. Following this revelation, Leidos issued all necessary breach notifications.
Most of the leaked information pertains to internal corporate matters,
such as employee reviews and complaints,
rather than any militarily sensitive data.
This incident has drawn attention to Leidos,
one of the defense industry's largest IT service providers,
after its merger with Lockheed Martin's Information Systems and Global Solutions
back in 2016. Based in Reston, Virginia, Leidos employs about 47,000 people
and reported $15.4 billion in revenue in 2023. A Middle Eastern financial institution suffered a record-breaking six-day DDoS attack
by the hacktivist group SN Black Meta. This prolonged assault, consisting of 10 waves and
totaling 100 hours of attack time, demonstrates the growing sophistication of DDoS. The attack
peaked at 14.7 million malicious requests per second, significantly disrupting the
institution's web services. Radware's web DDoS protection services helped mitigate the impact,
blocking over 1.25 trillion malicious requests. SN Black Meta, known for ideologically driven
attacks, announced the assault on Telegram.
Their tactics include targeting critical infrastructure and leveraging public support through transparency.
CrowdStrike warns organizations about a fake recovery manual for Windows devices impacted by a Falcon Platform update outage,
which spreads Daolpu information-stealing malware.
Attackers used phishing emails with a malicious Word attachment
mimicking Microsoft's support bulletin.
When enabled, the attachment's macros download a DLL file
decoded by Windows CertUtil,
allowing Daolpu to infiltrate browser-stored credentials and cookies. CrowdStrike provided a
YARA rule and indicators of compromise. Bleeping Computer suggests Daolpu may originate from Vietnam.
According to cloud monitoring, modeling, and insurance services provider Parametrix,
the July 19 Microsoft CrowdStrike outage resulted in a direct financial
loss of approximately $5.4 billion for Fortune 500 companies, with an average loss of $44 million
per organization, rising to $150 million for the most affected, such as airlines.
Parametrix reported that only 10 to 20 percent of these losses are
covered by cyber insurance. The healthcare sector faced the largest loss at $1.94 billion,
followed by banking at $1.15 billion. The incident impacted a quarter of Fortune 500 companies,
including all six major airlines and 43 percent of retailers. Observers say this highlights
the need for better risk diversification and management in the face of systemic cyber events.
A cybersecurity audit of the Department of Health and Human Services Office of the Secretary
revealed significant cloud security gaps exposing sensitive data to potential cyber attacks.
Conducted in mid-2022 by the HHS Office of the Inspector General and Breakpoint Labs,
the audit included penetration testing and phishing simulations.
It found that over 30% of HHS systems were cloud-based,
with vulnerabilities like lack of multi-factor
authentication and poor access controls. Twelve specific security gaps were identified,
with the most critical involving network access. Despite some positive outcomes from phishing
simulations, the audit highlighted severe risks to HHS's cloud systems, emphasizing the need for improved security measures.
This report, publicly released this week, comes amid increasing cyber threats to healthcare and
government systems, prompting initiatives to bolster defenses. As a side note, it's puzzling
that the audit report on HHS's cloud security, conducted in mid-2022, has taken two years to be released. In the rapidly
evolving field of cybersecurity, such a delay undermines the relevance of the findings and
recommendations. Cyber threats and vulnerabilities can change drastically in just months, making it
critical for audit results to be timely to ensure effective remediation and adaptation to current risks.
Docker has urged users to patch a critical vulnerability affecting certain Docker Engine
versions, allowing privilege escalation via specially crafted API requests. Discovered in
2018 and initially fixed in Docker Engine version 18.09.1,
the patch was not included in later versions, leading to a regression.
This flaw allows attackers to bypass authorization plugins and execute unauthorized commands.
Although the exploitability is low,
Docker recommends updating to the latest version or restricting API access if updating
isn't possible. Google has announced enhanced protections for Chrome users against malicious
file downloads. Since last year, Chrome has provided AI-powered warnings for potentially
harmful files featuring distinct icons, colors, and text to help users make informed decisions.
These warnings have reduced the number of bypassed alerts and increased user compliance.
Google now performs automatic deep scans on suspicious files for users in the Enhanced
Protection mode, which has proven effective in detecting new malware. For password-protected
encrypted archives,
enhanced protection users are prompted to send the file and password to safe browsing,
while standard protection users receive a password prompt and metadata check.
All uploaded data is deleted shortly after scanning to ensure privacy.
Coming up after the break on the Threat Vector segment, David Moulton speaks with Sama Manchanda, consultant at Unit 42, to explore the evolving landscape of social engineering attacks.
Stay with us. Real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
David Moulton is host of the Threat Vector podcast right here on the N2K Cyber Wire network.
In this segment from their most recent episode,
David speaks with Sama Manchanda, a consultant at Unit 42.
They explore the evolving landscape of social engineering attacks.
There are three main parts to a phishing attack.
There's the bait, the hook, and the catch.
The bait being the preparation,
the juicy bait that someone falls for.
With the hook, the attacker has got the information
that they need to get the attention of the user
and then get them to do something.
And this is the catch part, whether it's performing an action, clicking a link, something like that.
Once the user has actually clicked and fallen for the hook, that's when the actual attack happens.
The bait, the hook, the catch.
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats, cyber resilience, and uncover insights into the latest industry trends.
I'm your host, David Moulton. [...] the evolving landscape of social engineering attacks,
particularly focusing on vishing and smishing. As we approach the election season, the relevance of these threats has never been higher. We'll discuss how these techniques have adapted and grown more sophisticated over time,
the psychological tactics behind them, and the specific challenges they pose to both individuals and the integrity of the democratic process.
Joining us once again is Sama Manchanda, a seasoned expert in cybersecurity from Unit 42.
Sama will shed light on the latest trends and provide insights into how to protect yourself
and your organization from these insidious threats.
Here's our conversation.
Sama Manchanda, welcome back to Threat Vector.
It's been a while since you've joined us on the pod
and we're back today to talk about vishing, smishing,
kind of an update to our original smish tales, especially as we're looking at the election season coming up.
Glad to be back.
And thank you for having me back.
Always excited to talk about social engineering, you know, the vishing, phishing, smishing.
We're talking about elections and vishing and some of the dangers that are lurking on your phone.
And maybe we start out with this idea of what is smishing and how does it differ from maybe traditional phishing or even phishing?
Yeah. So smishing in general is the SMS form or message form of phishing.
And we've talked about phishing before.
Phishing really is a social engineering scam where an attacker usually convinces or deceives people into revealing some kind of sensitive information or doing something that they weren't, you know, intending to do.
Some can be installing malware.
It could be getting them to enter credentials, all that kind of good stuff. But very similar to phishing, again, is smishing, where usually phishing we see on an email platform,
usually of some kind.
Smishing is pretty similar, usually just comes in the form of a text message instead.
How do psychological tactics play into manipulating a recipient for a phishing attack?
That's one of the main reasons it's so successful is, again, it preys upon the weaknesses of people and just in general.
There's a lot of common tactics that we see across the board.
So things like scare tactics or, you know, creating a sense of urgency hones in on the user's fear of something
happening that's not supposed to happen. Like, oh, this is super urgent. Somebody needs something.
And, you know, I don't want to get in trouble because of this. It could also be, again, just
playing into, you know, someone not noticing that something is off or different because maybe
they're in a rush. That's one of those things
where smishing, I think, is particularly successful, where it's, again, like you're
on your phone. And like we mentioned earlier, it's a lot harder sometimes when you're on a
phone to be thinking about like, oh, maybe I should hover over this link and really think
about where it's going. On an email, it's much easier to do that. So you're just like, oh, I'm in the middle of doing something and this came up and I just was distracted.
So, and I think, and then again,
attackers, they're really good at their job also
at the end of the day.
This is what they specialize in.
So they've got a good handle
on using people's weaknesses against them.
And that's the entire premise of social engineering
is finding different things that, you know,
people will fall for and what ultimately
is successful enough for them to get there
and put in the door.
How do attackers leverage current events
and misinformation to enhance
the effectiveness of their attacks?
That's, I think, that's, again, that's one of the ways that they stay relevant.
They use information that's going on to build credibility and come across as a legitimate
source rather than just, again, trying to go straight for the information.
That's part of, like, their bait is saying, like, for example, there's a hurricane that's coming in, right? And they, you know, they can use that as, like, oh, okay, like,
whether as an attacker they're spreading misinformation or they're, you know, trying
to get the user to do something, like donate money or, like, put their money somewhere, type of
thing, using something that's, like, a current event. That just lowers... people are used to that.
People are used to, you know, elected people who are campaigning using events like this to sort of to further their own goal.
Whether that is spreading information of some kind or influencing the voter in some way about maybe a person, a candidate or about the process in general.
Or also it could also be, again, masquerading to get a donation.
This is, again, a very popular time for campaigns to be soliciting donations
and reaching out to all, you know, people from everywhere.
So they're just not as maybe aware that, again, attackers are also doing the same thing.
And they're just hoping that a person doesn't notice, essentially, that they're maybe putting their money somewhere where they're not supposed to be or they're sharing information with a source that they shouldn't be.
So looking ahead, what predictions do you have or do you have any emerging trends that you foresee in the evolution of cyber threats targeting elections?
I think, you know, we're seeing this become more and more common.
This is becoming a big topic every single election season, both in our general elections, our midterm elections, local elections, everything.
And the fact that, you know, this is becoming more and more common and more and more prevalent, I don't think it's going to stop anytime soon. This is where we see things happening here
in the U.S. We tend to see the same patterns in other countries as well. It's especially important
to educate people that, again, to just be aware, knowing that these threats are out there, knowing
that maybe everything that you see on the internet isn't always true, and not taking everything at face value.
I think those are lessons that go a long way.
Being a little bit skeptical, maybe, but not too skeptical is usually a good practice.
Sama, what's the most important lesson a listener should take away from our conversation today?
My big takeaway is if you're not sure, don't click it.
Sama, thanks for coming back on Threat Vector today.
As always, it's a pleasure to talk to you.
Hopefully the tennis game continues to be fun over the summer.
And I know our listeners are like me, really interested in this topic and grateful that an expert like you would share your insights and opinions on this super important topic.
No, thank you so much for having me. It's always a pleasure chatting with you.
That's it for Threat Vector today. Thank you for joining and stay tuned for more episodes.
If you like what you heard, please subscribe wherever you listen to your podcast and leave us a review
on Apple Podcasts
or Spotify.
Your reviews and feedback
really do help us understand
what you want to hear about.
I want to thank
our executive producer,
Michael Heller.
I edit the show
and Elliot Peltzman
mixes the audio.
We'll be back in two weeks.
Until then,
stay secure,
stay vigilant.
Goodbye for now.
Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts.
[...] worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, Matthias Houllier is co-founder of Wintics,
one of four French companies to win Olympic contracts to transform Paris' CCTV cameras into a high-tech monitoring
tool for the Olympics. With thousands of cameras, it's impossible for police officers to react to
every camera, Houllier says. Wintics first made a splash in 2020 by helping Paris count cyclists
with algorithms linked to 200 traffic cameras. Now they're stepping up to count people
in crowds and alert operators when too many hit the deck. Houllier assures us there's no big brother
decision-making happening here. It's just anonymous shapes, he says. His team trained ministry
officials on the software, which just raises alerts for the humans to check out. He argues it's a privacy-friendly alternative to facial recognition,
saying,
We're not analyzing personal data.
No faces.
No license plates.
No behavioral analytics.
Privacy activists, however, are not buying it.
Noémie Levain, a staunch defender of civil liberties,
is on a mission with 6,000 posters to warn Parisians about algorithmic surveillance.
She contends that analyzing images of people inherently involves personal data, likening it to facial recognition technology.
Levain fears these surveillance systems will linger long after the Olympians have left.
She says this technology will reproduce the stereotypes of the police,
arguing that it will amplify discriminatory practices.
As Parisians brace for the Olympic invasion,
many, like Levain, plan to escape to the South,
dreading the post-game surveillance city they'll return to.
The Olympics is an excuse, she asserts.
The government, companies, and police are already thinking about after.
It's the age-old tension between security and privacy, gold medal edition.
For me, I'll be watching the game on the TV and hoping the river stays clean enough so they can run the triathlon.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we
deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K's Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law
enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester
with original music
and sound design
by Elliot Peltzman.
Our executive producer
is Jennifer Iben.
Our executive editor
is Brandon Karp.
Simone Petrella
is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.